Ok, we are closer now ;) The string that you saw in the capture has many Fs, and bearing in mind that every 2 hex characters is 1 byte, with the offset 20 we technically start matching on an F that is far away from the beginning of the payload (I highlighted the F that we match in red):

000000000002f42cFFFFFFFFFFFFFFFFFFFFFFFFFFFF //I assume we start counting from 0

I can't capture the ICMP traffic with data pattern right now, but I will play with it on my own later to test it for string matching. For now I just want to say that it has to do with the host that you are sending ICMP packets from.

If pings are sent from the ASA, then matching starts with offset equal to 4:

match start ICMP payload-start offset 4 size 2 eq 0xFFFF

If pings are sent from the router, matching starts with offset equal to 12:

match start ICMP payload-start offset 12 size 2 eq 0xFFFF

Having said that, my understanding is that we may be entirely screwed on the lab if we rely on the above pattern matching. There must be another way to match on an ICMP packet with data or any other packet. I mean matching it on the string or a regex.

Eugene

From: Karthik sagar [mailto:[email protected]]
Sent: Wednesday, July 11, 2012 10:55 AM
To: Eugene Pefti
Subject: Re: [OSL | CCIE_Security] FPM and ICMP

Look at the data itself. It is something like 000000000002f42cFFFFFFFFFF...................

I had issued a ping with data pattern of FFFF: "R2#ping 10.13.0.3 data FFFF"

But I see in the capture that FFFF actually starts after a string of 0's and some random digits. So, I adjusted the offset. I don't know why those random digits appear before the FFFF.. pattern in the data.
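An added example, not part of the original thread: a small Python emulation of the byte comparison that `offset N size 2 eq 0xFFFF` describes, used to list which payload offsets match for one sender and which offsets match for every sender. The function names are hypothetical, and the payloads are constructed to mirror the prefix quoted above and the 4- and 12-byte offsets reported in the thread; the assumption is that the offset counts bytes from 0 at the start of the ICMP payload.

```python
# Emulates an "offset N size M eq VALUE" test against raw ICMP payload bytes.
# Assumption: offsets count bytes from 0 at the start of the payload.

def fpm_match(payload: bytes, offset: int, size: int, value: int) -> bool:
    """True if the `size` bytes at `offset` equal `value` (big-endian)."""
    window = payload[offset:offset + size]
    if len(window) < size:          # window runs past the end of the payload
        return False
    return int.from_bytes(window, "big") == value

def matching_offsets(payload: bytes, size: int, value: int) -> list:
    """Every offset in this payload where the test would succeed."""
    return [o for o in range(len(payload) - size + 1)
            if fpm_match(payload, o, size, value)]

def common_offsets(payloads: list, size: int, value: int) -> list:
    """Offsets where the test succeeds for all payloads (sender-independent)."""
    sets = [set(matching_offsets(p, size, value)) for p in payloads]
    return sorted(set.intersection(*sets)) if sets else []

# Constructed sample: the 8-byte prefix quoted in the thread, then an FF fill
# (the fill length here is chosen for the example, not taken from a capture).
THREAD_SAMPLE = bytes.fromhex("000000000002f42c") + b"\xff" * 14

# Constructed samples for two senders whose fill starts at byte 4 and byte 12.
SENDER_A = bytes.fromhex("0002f42c") + b"\xff" * 28
SENDER_B = bytes.fromhex("00000000000000000002f42c") + b"\xff" * 20

if __name__ == "__main__":
    print("thread sample:", matching_offsets(THREAD_SAMPLE, 2, 0xFFFF))
    print("sender A     :", matching_offsets(SENDER_A, 2, 0xFFFF))
    print("sender B     :", matching_offsets(SENDER_B, 2, 0xFFFF))
    print("common       :", common_offsets([SENDER_A, SENDER_B], 2, 0xFFFF))
```

With these constructed payloads, any offset at or past the longest prefix matches for both senders, as long as the fill is long enough to reach it.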
